"We are forever trying to train people to have healthier lifestyles: eat better, exercise more, whatever," Schneier writes in a wonderfully entertaining blog post.
"And people are forever ignoring the lessons. One basic reason is psychological: we just aren't very good at trading off immediate gratification for long-term benefit. A healthier you is an abstract eventually; sitting in front of the television all afternoon with a McDonald's Super Monster Meal sounds really good right now."
"Similarly, computer security is an abstract benefit that gets in the way of enjoying the internet. Good practices might protect me from a theoretical attack at some time in the future, but they're a lot of bother right now and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy; no one reads through new privacy policies; it's much easier to just click "OK" and start chatting with your friends. In short: security is never salient."
Schneier expands on his ideas by looking at areas where awareness training or education initiatives work (driving, HIV prevention) and where they fail (training the general public to wash their hands, make drug decisions at a pharmacy, food safety).
He summarises the obstacles in the path of effective security training. "The threats change constantly, the likelihood of failure is low, and t...